Geeklog Forums

Hi all,
one of GL users in Japan reported that putting too long a name in group editor can cause a serious DB trouble. This happens with multibyte strings. Let me explain.

1. You put too long a multibyte string as a name of a group into the field, which is 50 characters long.
2. When the string is passed as $_PUT to PHP, it is already broken.
3. The string is saved into DB at lines 464-465 (GL-1.4.1, admin/groups.php).
4. Since the string is broken, the next SQL query (lines 466-467) fails and $grp_id is empty.
5. Finally, SQL queries at lines 486 and 507 delete all records from the gl_access table, because $grp_id is empty.

I know this is rather a rare case, but it can cause a disastrous malfunction. How about checking the length of strings before saving them into DB?

---

-- mystral-kk, "Every cloud has a silver lining."

Thanks for the report. This certainly shouldn't happen.

I've added a quick sanity check for now, but this needs more in-depth research to find out what exactly is going wrong and what we could do about it.

bye, Dirk

Thanks for the quick reply, Dirk. We hope you'll come up with a nice solution.

---

-- mystral-kk, "Every cloud has a silver lining."

The DB_getItem is the culprit. gl_groups uses an auto_incrememt primary key and as such you should be calling DB_insertId() to get that id back from the call to DB_save.


No sure how you fix that off the top of my head. Probably need to do something like:
"grp_name = '" . substr($grp_name,0,50) . "'"